We present an adaptation of input/output conformance (ioco) testing principles to families of similar
implementation variants as appearing in product line engineering. Our proposed product line testing
theory relies on Modal Interface Automata (MIA) as behavioral specification formalism. MIA enrich
I/O-labeled transition systems with may/must modalities to distinguish mandatory from optional
behavior, thus providing a semantic notion of intrinsic behavioral variability. In particular, MIA
constitute a restricted, yet fully expressive subclass of I/O-labeled modal transition systems,
guaranteeing desirable refinement and compositionality properties. The resulting modal-ioco relation
defined on MIA is preserved under MIA refinement, which serves as variant derivation mechanism
in our product line testing theory. As a result, modal-ioco is proven correct in the sense that it
coincides with traditional ioco to hold for every derivable implementation variant. Based on this result, a
family-based product line conformance testing framework can be established.


1 Introduction 

Modal transition systems (MTS) constitute an extension to (labeled) transition systems (LTS) by
enriching the transition relation with a may/must dichotomy fT3lfTT1l . This way, behavioral system
specifications based on MTS leave open implementation freedom by distinguishing mandatory from optional
behaviors, thus imposing a rigorous notion of (semantic) refinement I0. Considering Input/Output-labeled
MTS in particular, they provide a suitable foundation for interface specifications of component-based
systems D3. MTS incorporate a natural notion of interface compatibility and, thereupon, enjoy
desirable compositionality properties, being imperative for a comprehensive interface theory fl8l l4ll.

Based on the work of Fischbein et al. in [10], Larsen et al. propose in [12] to use modal
specifications as a basis for a behavioral variability theory for software product lines 0- A product line,
therefore, comprises a family of well-defined implementation variants derivable from modal
specifications using modal refinement, where the validity of a variant is further restricted due to its
compatibility with other components and/or a given environmental specification. Based on this compact
representation of families of implementation variants, a verification theory for product lines has been
developed in |0, combining MTS with deontic logics to further restrict variable behaviors. Those
approaches allow for model-checking temporal properties on entire families of implementation variants
without explicitly considering every particular variant, which is referred to as family-based product
line analysis [19].

However, besides those appealing family-based product line verification approaches, the
applicability of modal specifications as a formal foundation for a family-based product line testing
theory has not been intensively considered so far. In particular, the input/output conformance testing
theory, initially introduced by Tretmans in [20], is one of the most established formal frameworks to
reason about fundamental properties of (model-based) functional testing approaches. For this purpose,
the ioco relation imposes a notion of observational equivalence [16] between a test model specification,
given as an I/O-labeled transition system, and a (black box) implementation under test, requiring the
implementation behaviors to conform to the specified behaviors.

To the best of our knowledge, there currently exist two approaches adapting I/O-conformance testing
principles to product lines. In Beohar and Mousavi @, featured transition systems (FTS), initially
proposed by Classen et al. [8], are equipped with I/O labels to enrich the ioco relation with explicit
feature constraints. This way, a family-based I/O-conformance testing framework can be established,
based on constraint-solving capabilities as used in Q for product line model checking. In contrast, the
approach proposed in [14], called mioco, adapts the key concepts of ioco to modal product line
specifications where I/O-labeled MTS (IOMTS) are used as specifications of product lines under test. A
corresponding family-based I/O-conformance testing theory can be built upon the notions of modal
refinement and composition [12]. In this paper, we present an improved elaboration of this initial
approach to serve as a sound basis for family-based product line conformance testing. In particular, we
make the following contributions.

• We consider a novel class of I/O-labeled modal transition systems, i.e., Modal Interface Automata
(MIA) fl31l , instead of IOMTS. MIAs slightly restrict IOMTS to guarantee desirable refinement
and compositionality properties.

• We define the conformance relation mioco_MIA to relate product line implementations to product
line specifications both given as MIAs. Thereupon, we clarify the assumptions to hold for
specification and implementation in the spirit of classical ioco, e.g., concerning input-enabledness and
different concepts for input completions. One major challenge is to guarantee a proper treatment of
the two kinds of implementation freedom apparent in product line specifications, namely variable
and unspecified behaviors.

• In addition to the basic result in [14] ensuring preservation of mioco on IOMTS under refinement,
we obtain strong results for our novel conformance relation mioco_MIA concerning soundness and
completeness. Therefore, mioco_MIA reflects the essence of family-based product line analysis by
means of I/O-conformance testing [19].

Here, we focus our considerations on testing single components and, therefore, also omit $\tau$
transitions within modal specifications. However, the results obtained in this paper pave the way to a
compositional and family-based product line testing theory.

The remainder of this paper is structured as follows. Sect. 2 provides a brief repetition of input/output
conformance defined on I/O-labeled transition systems, as well as the foundations of modal transition
systems. In Sect. 3, we introduce MIA as a new model for product line specifications and describe variant
derivation semantics in terms of MIA refinement. In Sect. 4, we propose an adaptation of input/output
conformance notions to MIA and define approaches for achieving input-enabledness via completions.
Our main results concerning the correctness of modal-ioco on MIA are formulated and proven in Sect. 5.
Sect. 6 concludes with an outlook on our ongoing and future research directions.

2 Preliminaries 

We start with an overview on I/O-labeled transition systems and I/O conformance testing. Furthermore,
we present modal transition systems (MTS) laying the foundation for modal interface automata.

Labeled transition systems (LTS) constitute a well-established model for discrete-state reactive
system behaviors. The behavior of an LTS is specified by means of a labeled transition relation
$\rightarrow \subseteq Q \times act \times Q$ on a set of states $Q$ and an alphabet of actions $act$. To
serve as a test model specification for input/output conformance testing, the subclass of I/O labeled
transition systems is considered, dividing the set $act$ into disjoint subsets of controllable input
actions $I$ and observable output actions $O$. In addition, internal actions are usually summarized under
the special symbol $\tau \notin (I \cup O)$. However, we do not consider $\tau$ transitions in this paper.

Definition 1 (I/O Labeled Transition System). An I/O labeled transition system (IOLTS) is a tuple
$(Q, I, O, \rightarrow)$, where

• $Q$ is a countable set of states,

• $I$ and $O$ are disjoint sets of input actions and output actions, respectively, and

• $\rightarrow \subseteq Q \times (I \cup O) \times Q$ is a labeled transition relation.


Note that (IO)LTS usually do not comprise a predefined initial state, as it is either identified with
its entire set of states $Q$, or some state $q \in Q$ denoting the initial state. By
$q \xrightarrow{a} q'$ we mean that $(q, a, q') \in \rightarrow$ holds, and we write $q \xrightarrow{a}$
as a short hand for $\exists q' \in Q : q \xrightarrow{a} q'$. We further denote a path
$q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots \xrightarrow{a_{n-1}} q_{n-1} \xrightarrow{a_n} q_n$
by $q_0 \xrightarrow{\sigma} q_n$, where $\sigma = a_1 a_2 \ldots a_n \in (I \cup O)^*$ is called a trace.


In the input/output conformance relation (cf. Sect. 2.1), an implementation, represented as an
I/O-labeled transition system, is assumed to be input-enabled, i.e., to never reject any inputs. This
yields the subclass of I/O transition systems.


Definition 2 (I/O Transition System). A state $q \in Q$ of an IOLTS $Q$ is input-enabled iff for all
$i \in I$, there exists a state $q' \in Q$ such that $q \xrightarrow{i} q'$. $Q$ is an I/O Transition
System (IOTS) iff all $q \in Q$ are input-enabled.

In deviation from Tretmans [20], we employ strong input-enabledness, as we do not consider internal
behavior. Figure 1 shows three sample LTS, modeling different variants of a vending machine. All of
these vending machines have in common that they accept money in the initial state (the topmost state)
and are capable of dispensing tea. However, some of them may also dispense coffee and notify the user
about errors. Transitions are labeled with either input labels (prefix ?), or output labels (prefix !). The
LTS in Figure 1b accepts 1€ or 2€ coins from customers. After inserting 2€, change is returned and the
customer is allowed to choose coffee or tea, or to refill cups. Next, the vending machine dispenses the
selected beverage. The LTS in Figure 1a is an IOTS, as every state accepts all possible inputs, i.e., 1€,
2€, cups, and tea. Label I denotes that a transition exists for each input symbol, unless a state already
accepts an input.


2.1 Input/Output Conformance 

An implementation $i$, given as an IOTS, I/O-conforms to a specification $s$, given as an IOLTS, if all
observable output symbols of $i$ after any possible input sequence $\sigma$ of $s$ are permitted by $s$.
That means that a system specification states the allowed output behavior. For this to hold, the set
$Out(P)$ of output actions enabled in any possible state $p \in P$ of $i$ reachable via a sequence
$\sigma$, denoted by $P = i \mathbin{\mathbf{after}} \sigma$, must be included in the corresponding set
$Out(Q)$ with $Q = s \mathbin{\mathbf{after}} \sigma$. To rule out trivial implementations never showing
any outputs, the concept of quiescence is introduced by means of an observable action $\delta$ to
explicitly permit the absence (suspension) of any output in a state. The definitions of this section
follow [20].
Figure 1: Sample LTS of a simple vending machine, adapted from [14]. Panels: (a), (b), (c).


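Definition 3. Let $Q$ be an IOLTS, $p \in Q$, $P \subseteq Q$, and $\sigma \in (I \cup O \cup \{\delta\})^*$.

• $init(p) := \{\mu \in (I \cup O) \mid p \xrightarrow{\mu}\}$,

• $p$ is quiescent, denoted by $\delta(p)$, iff $init(p) \subseteq I$,

• $p \mathbin{\mathbf{after}} \sigma := \{q \in Q \mid p \xrightarrow{\sigma} q\}$,

• $Out(P) := \{\mu \in O \mid \exists p \in P : p \xrightarrow{\mu}\} \cup \{\delta \mid \exists p \in P : \delta(p)\}$, and

• $Straces(p) := \{\sigma \in (I \cup O \cup \{\delta\})^* \mid p \xrightarrow{\sigma}\}$, where $q \xrightarrow{\delta} q$ iff $\delta(q)$.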

I/O conformance requires any reaction of an implementation $i$ to every possible environmental
behavior $\sigma$ to be checked against those of its specification $s$, even if no proper reaction for
$\sigma$ is actually specified by $s$. Hence, conformance testing is usually limited to positive testing,
i.e., only considering behaviors being explicitly specified in $s$, i.e., contained in the suspension
traces ($Straces(s)$) of $s$.

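Definition 4 (Input/Output Conformance). Let $s$ be an IOLTS and $i$ an IOTS with the same sets of inputs
and outputs. $i \mathrel{\mathbf{ioco}} s :\Leftrightarrow \forall \sigma \in Straces(s) : Out(i \mathbin{\mathbf{after}} \sigma) \subseteq Out(s \mathbin{\mathbf{after}} \sigma)$.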

Assuming the IOLTS of Figure 1c to be a specification $s$ and the IOTS of Figure 1a to be an
implementation $i$, then $i \mathrel{\mathbf{ioco}} s$ holds, as $i$ does not show any unspecified output
behavior. However, considering the IOLTS of Figure 1b as a specification $s$ for $i$, then
$i \mathrel{\mathbf{ioco}} s$ does not hold as $i$ exhibits output behavior error, violating conformance
of $i$ to $s$.

The ioco relation permits implementation freedom as only one specified output behavior must be
implemented. In addition, if there are unspecified inputs for state $q$ in the specification $s$, then an
implementation may react with arbitrary outputs to those unspecified inputs, as those behaviors do not
occur in the suspension traces of $s$ and are, therefore, never tested. However, for product lines, we
further need the possibility to (1) explicitly express variability within specifications and, therefore,
to (2) distinguish mandatory from optional behavior, which leads us to Modal Transition Systems (MTS).









L. Luthmann, S. Mennicke & M. Lochau 


Figure 2: Figure 2a shows an MTS combining all systems from Figure 1. Figures 2b and 2c show a
correct and an incorrect implementation regarding mioco_MIA (see Section 4). Panels: (a) Specification,
(b) Correct implementation, (c) Incorrect implementation.


2.2 Modal Transition Systems 

To specify behavioral variability of product lines, we use Modal Transition Systems (MTS) according
to Larsen [11, 12] as a basis. MTS are based on LTS but distinguish between so-called must and may
transitions, specifying mandatory behavior as well as allowed behavior, respectively. By definition, any
must transition is a may transition as any mandatory behavior must also be allowed. Therefore, only
may transitions not underlying must transitions denote optional behavior. Accordingly, we call may
transitions that are not must transitions optional and must transitions mandatory. Additionally, absent
transitions denote forbidden behavior.

Definition 5 (Modal Transition System). A tuple $Q = (Q, A, \rightarrow_\Box, \rightarrow_\Diamond)$ is a
Modal Transition System (MTS) iff

• $Q$ is a finite set of states,

• $A$ is a set of actions,

• $\rightarrow_\Box \subseteq Q \times A \times Q$ is the labeled must transition relation,

• $\rightarrow_\Diamond \subseteq Q \times A \times Q$ is the labeled may transition relation, and

$Q$ is syntactically consistent, i.e., $q \xrightarrow{a}_\Box q'$ implies $q \xrightarrow{a}_\Diamond q'$.

Note that, in our setting, we assign $I \cup O$ to $A$ which defines I/O-labeled MTS. MTS allow us to
superimpose several systems into one larger system, from which the original systems are derivable via
modal refinement. Therefore, modal refinement preserves mandatory and forbidden behavior, whereas
optional behavior may turn into either mandatory or forbidden behavior. Figure 2a shows a sample MTS.
Therein, solid edges depict mandatory behavior and dashed edges depict optional behavior. The MTS in
Figure 2a combines all IOLTS from Figure 1 into one. This is achieved by making the behaviors being
common to all IOLTS variants mandatory behaviors, whereas the variable behaviors become optional
in the MTS. Larsen et al. [12] also defined input-enabledness for MTS and an according input-enabled
MTS version to be called I/O modal transition systems (IOMTS). However, there are two flavors of
input-enabledness: must-input-enabledness and may-input-enabledness, both being defined as canonical
extensions of Def. 2. A may-input-enabled MTS is called I/O-labeled MTS (IOMTS). For an overview
on IOMTS and the according I/O-conformance relation, we refer to [14]. Another option for adding
modalities to system specifications are Modal Interface Automata, being a restricted subclass of IOMTS.

3 Modal Interface Automata 

The model we employ in this paper is called Modal Interface Automata (MIA) which are basically
input-deterministic I/O-labeled MTS. Input-determinism is a desirable property in model-based testing,
as it makes testing procedures manageable by ensuring that some inputs are not infinitely often neglected
during test scenarios, as imposed by non-deterministic inputs. Furthermore, specified inputs are always
mandatory, but unspecified inputs are implicitly allowed. This restriction yields refinement and
composition properties beneficial for both modeling product line specifications and implementations with
behavioral variability, as well as modal I/O-conformance testing as described in Sect. 4. The MTS
depicted in Figure 2 are in fact MIAs, as they exhibit input-determinism and every input transition is
mandatory.

Definition 6 (Modal Interface Automaton). A tuple $Q = (Q, I, O, \rightarrow_\Box, \rightarrow_\Diamond)$
is a Modal Interface Automaton (MIA), where $(Q, I \cup O, \rightarrow_\Box, \rightarrow_\Diamond)$ is an
MTS with disjoint alphabets $I$, $O$ and for all $i \in I$:

• $q \xrightarrow{i}_\Box q'$ and $q \xrightarrow{i}_\Box q''$ implies $q' = q''$ (i.e., we require input-determinism),

• $q \xrightarrow{i}_\Diamond q'$ implies $q \xrightarrow{i}_\Box q'$ (i.e., all inputs are mandatory behavior).

In deviation to Lüttgen and Vogler 031 , we do not employ disjunctive MTS, as they are not needed
for our purposes. Furthermore, we limit our considerations to MIAs without internal behaviors, i.e.,
$\tau$ transitions, which is no limitation, as all our results remain valid for MIAs with internal
behavior. For future work, we plan to investigate our testing theory under parallel composition for which
a treatment of internal transitions is inevitable. Lüttgen and Vogler define an operator for parallel
composition of MIA similar to interface automata fT|. They identify error states arising from the
composition of incompatible states, and remove them, as well as all states from which reaching some error
state is no more preventable by environmental inputs. This is similar to the operator by Larsen et al.
[12], but, in contrast to IOMTS, composability of MIA is based on the compatible component semantics
rather than syntactic criteria.

Each input transition of a MIA is, by definition, mandatory. However, this does not limit the
expressiveness of MIA compared to IOMTS, as input transitions are always implicitly allowed by modal
refinement. Modal refinement is a crucial notion in modal theories, as they constitute an
implementation relation that preserves mandatory behaviors, but also leaves implementation freedom
concerning optional and unspecified behaviors. Intuitively, a MIA $p$ refines $q$ if (1) the optional
output behavior of $p$ is simulated by $q$, and (2) all mandatory behavior of $q$ is simulated by $p$,
thus imposing an alternating simulation m.

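Definition 7 (MIA Refinement). Let $P$, $Q$ be MIAs over $I$ and $O$. A relation
$\mathcal{R} \subseteq P \times Q$ is a MIA-refinement iff for all $(p, q) \in \mathcal{R}$:

1. $q \xrightarrow{a}_\Box q'$ where $a \in I \cup O$ implies $\exists p' : p \xrightarrow{a}_\Box p'$ and $(p', q') \in \mathcal{R}$,

2. $p \xrightarrow{a}_\Diamond p'$ where $a \in O$ implies $\exists q' : q \xrightarrow{a}_\Diamond q'$ and $(p', q') \in \mathcal{R}$.

If there is a MIA-refinement $\mathcal{R}$ such that $(p, q) \in \mathcal{R}$, then $p$ MIA-refines $q$, denoted by $p \sqsubseteq_{\mathrm{MIA}} q$.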
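
The refinement check of Definition 7, computed as the largest relation over state pairs that satisfies both clauses. This is an added example, not code from the paper; the vending-machine automata, their state names and all function names are constructed for illustration, with `?` marking inputs and `!` marking outputs.

```python
from itertools import product

def automaton(must, may_only=()):
    """Transitions are (source, action, target); may always contains must."""
    must = set(must)
    return {"must": must, "may": must | set(may_only)}

def succ(rel, q, a):
    return {t for s, b, t in rel if s == q and b == a}

def states(m, start):
    return {start} | {s for s, _, _ in m["may"]} | {t for _, _, t in m["may"]}

def is_mia(m, inputs):
    """Definition 6: every input is mandatory and input-deterministic."""
    return all(succ(m["may"], q, a) == succ(m["must"], q, a)
               and len(succ(m["must"], q, a)) == 1
               for q, a, _ in m["may"] if a in inputs)

def mia_refines(P, p0, Q, q0, outputs):
    """True iff p0 MIA-refines q0 (Definition 7). Starts from all state pairs
    and removes pairs violating a clause until nothing changes, which leaves
    the largest MIA-refinement."""
    R = set(product(states(P, p0), states(Q, q0)))
    changed = True
    while changed:
        changed = False
        for p, q in list(R):
            # Clause 1: each must-transition of q is answered by a must-transition of p.
            c1 = all(any((p2, q2) in R for p2 in succ(P["must"], p, a))
                     for s, a, q2 in Q["must"] if s == q)
            # Clause 2: each may-output of p is answered by a may-transition of q.
            c2 = all(any((p2, q2) in R for q2 in succ(Q["may"], q, a))
                     for s, a, p2 in P["may"] if s == p and a in outputs)
            if not (c1 and c2):
                R.discard((p, q))
                changed = True
    return (p0, q0) in R

# Constructed sample: tea is mandatory, the outputs after ?coffee are optional.
INPUTS, OUTPUTS = {"?coin", "?tea", "?coffee", "?refill"}, {"!cup", "!error"}
SPEC = automaton(
    must=[("s0", "?coin", "s1"), ("s1", "?tea", "s2"), ("s2", "!cup", "s0"),
          ("s1", "?coffee", "s3")],
    may_only=[("s3", "!cup", "s0"), ("s3", "!error", "s0")])
CORE = [("p0", "?coin", "p1"), ("p1", "?tea", "p2"), ("p1", "?coffee", "p3")]
# Resolves the optional outputs and accepts an input the spec leaves unspecified.
GOOD = automaton(CORE + [("p2", "!cup", "p0"), ("p3", "!cup", "p0"),
                         ("p0", "?refill", "p0")])
# Leaves out the mandatory cup after ?tea.
NO_CUP = automaton(CORE + [("p3", "!cup", "p0")])
# Adds an output that is absent, hence forbidden, in the spec.
EXTRA = automaton(CORE + [("p2", "!cup", "p0")], may_only=[("p2", "!error", "p0")])

if __name__ == "__main__":
    for name, impl in [("GOOD", GOOD), ("NO_CUP", NO_CUP), ("EXTRA", EXTRA)]:
        print(name, mia_refines(impl, "p0", SPEC, "s0", OUTPUTS))
```

`GOOD` refines the specification although it adds the input `?refill`, because only outputs of the refining automaton have to be matched; the reverse direction fails.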

The most desirable property for composition operators in modal system theory is their preservation
of modal refinement. Lüttgen and Vogler show this to hold for parallel MIA composition, and also for
conjunction and disjunction of MIAs [15]. In contrast to MTS, not all unspecified transitions of MIAs
refer to forbidden behavior, but only those being outputs. Input transitions are always implicitly allowed
and, therefore, in Def. 7, only optional outputs of the refined MIA must be simulated by the unrefined
one.

In this paper, we interpret MIAs with mandatory and optional behaviors as families of similar system
variants. In this regard, the refinement notion serves variant derivation such that in
$p \sqsubseteq_{\mathrm{MIA}} q$, $p$ represents a variant of $q$, where a (partially) refined $p$ may
still contain optional behavior. Furthermore, as unspecified inputs are implicitly allowed under
MIA-refinement, $p$ may also contain additional behaviors, which is not feasible for a product line
specification. In order to obtain a sound variant derivation mechanism, we require it to finally yield an
IOLTS, which does not incorporate optional behavior. Hence, this IOLTS variant $p$ refines a MIA $q$, but
is restricted to behaviors allowed in $q$.

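Definition 8 (Variant Derivation). Let $(P, I, O, \rightarrow)$ be an IOLTS and $Q$ be a MIA over $I$ and
$O$. $p \in P$ is a variant of $q \in Q$, denoted by $p \sqsubseteq_{\mathrm{var}} q$, iff
(1) $p \sqsubseteq_{\mathrm{MIA}} q$, i.e., there is a MIA-refinement $\mathcal{R}$ between
$(P, I, O, \rightarrow, \rightarrow)$ and $Q$ such that $(p, q) \in \mathcal{R}$, and
(2) $\rightarrow \subseteq \rightarrow_\Diamond$.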

Thus, a variant derivation is a special kind of MIA-refinement, ensuring that every optional
transition of the specification is either removed from, or definitely included in the variant. There is a
close relationship between traces of variants $p \sqsubseteq_{\mathrm{var}} q$ and may-traces of $q$.

Lemma 1. Let $P$ be an IOLTS with $p \in P$ and $Q$ a MIA with $q \in Q$. If
$p \sqsubseteq_{\mathrm{var}} q$, then for each $w \in (I \cup O)^*$ with $p \xrightarrow{w}$ it holds
that $q \xrightarrow{w}_\Diamond$.

Based on MIA refinement and the MIA variant derivation mechanism, we define a modal version of ioco.

4 I/O Conformance Testing for MIAs 

In Sect. 2.1, we have already discussed I/O conformance on IOLTS, allowing a certain degree of
variability in implementations. However, we propose to apply modal specifications to explicitly capture
variability also within specifications, as being inherent to SPLs. We now define the foundations of modal
input/output conformance [14] and introduce completion strategies for constructing input-enabled modal
interface automata.

4.1 Modal Input/Output Conformance 

Intuitively, a modal implementation conforms to a modal specification if it does not exceed the allowed
outputs (may) and preserves all mandatory outputs (must). We adapt the notion of I/O conformance to
the MIA-framework, accordingly.

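Definition 9. Let $Q$ be a MIA over $I$ and $O$, $p \in Q$, $P \subseteq Q$,
$\sigma \in (I \cup O \cup \{\delta_\Box, \delta_\Diamond\})^*$, and $\gamma \in \{\Box, \Diamond\}$.

• $init_\gamma(p) := \{\mu \in (I \cup O) \mid p \xrightarrow{\mu}_\gamma\}$,

• $p$ is may-quiescent, denoted by $\delta_\Diamond(p)$, iff $init_\Box(p) \subseteq I$ and $p$ is must-quiescent, denoted by $\delta_\Box(p)$, iff $init_\Diamond(p) \subseteq I$,

• $p \mathbin{\mathbf{after}_\gamma} \sigma := \{q \in Q \mid p \xrightarrow{\sigma}_\gamma q\}$,

• $Out_\gamma(P) := \{\mu \in O \mid \exists p \in P : p \xrightarrow{\mu}_\gamma\} \cup \{\delta_\gamma \mid \exists p \in P : \delta_\gamma(p)\}$, and

• $Straces_\gamma(p) := \{\sigma \in (I \cup O \cup \{\delta_\gamma\})^* \mid p \xrightarrow{\sigma}_\gamma\}$, where $q \xrightarrow{\delta_\gamma}_\gamma q$ iff $\delta_\gamma(q)$.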

Due to the property of syntactic consistency of MIAs, similar properties are induced for the notions
of Def. 9. For instance, $init_\Diamond(p) \subseteq I$ implies $init_\Box(p) \subseteq I$ as, for
$a \in I$, $q \xrightarrow{a}_\Diamond q'$ implies $q \xrightarrow{a}_\Box q'$ and,
therefore, must-quiescence of any state $p$ implies may-quiescence of $p$.

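Proposition 1. Let $Q$ be a MIA over $I$ and $O$, $p \in Q$, $P \subseteq Q$, and
$\sigma \in (I \cup O \cup \{\delta_\Diamond, \delta_\Box\})^*$. Then the following statements hold.

1. $init_\Box(p) \subseteq init_\Diamond(p)$,

2. if $\delta_\Box(p)$, then $\delta_\Diamond(p)$,

3. $p \mathbin{\mathbf{after}_\Box} \sigma \subseteq p \mathbin{\mathbf{after}_\Diamond} \sigma$,

4. $Out_\Box(P) \subseteq Out_\Diamond(P)$, and

5. $Straces_\Box(p) \subseteq Straces_\Diamond(p)$.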

Proofs follow from Def. 6 and Def. 9. Due to the required input-determinism, MIAs may only show
non-deterministic behavior due to conflicting output transitions. Thus, when considering a trace $w$ of a
state $q$, it holds that $|q \mathbin{\mathbf{after}_\Diamond} w| \geq 1$. Considering MIA-refinement
$p \sqsubseteq_{\mathrm{MIA}} q$, each state in $p \mathbin{\mathbf{after}_\Diamond} w$ relates to some
state in $q \mathbin{\mathbf{after}_\Diamond} w$. Conversely, the same holds for states of
$p \mathbin{\mathbf{after}_\Box} w$ and $q \mathbin{\mathbf{after}_\Box} w$.

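Lemma 2. Let $p$, $q$ be MIAs such that $p \sqsubseteq_{\mathrm{MIA}} q$.

1. $\forall \sigma \in (I \cup O \cup \{\delta_\Diamond\})^* : q \mathbin{\mathbf{after}_\Diamond} \sigma \neq \emptyset \Rightarrow \forall p' \in p \mathbin{\mathbf{after}_\Diamond} \sigma : \exists q' \in q \mathbin{\mathbf{after}_\Diamond} \sigma : p' \sqsubseteq_{\mathrm{MIA}} q'$

2. $\forall \sigma \in (I \cup O \cup \{\delta_\Box\})^* : p \mathbin{\mathbf{after}_\Box} \sigma \neq \emptyset \Rightarrow \forall q' \in q \mathbin{\mathbf{after}_\Box} \sigma : \exists p' \in p \mathbin{\mathbf{after}_\Box} \sigma : p' \sqsubseteq_{\mathrm{MIA}} q'$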

This property is very useful when arguing on paths of MIAs related under MIA-refinement (cf.
Theorem 2). While for MTS we distinguished may from must input-enabledness, there is no difference
between both in case of MIA, as inputs in MIAs are mandatory.

Definition 10 (Input-Enabledness for MIA). A MIA $Q$ is input-enabled iff for all $q \in Q$ and for all
$i \in I$, it holds that $q \xrightarrow{i}_\Box$.

Henceforth, we require product line implementations $i$ to be given as input-enabled MIAs in order
to meet the assumptions originally made by ioco that implementations do not deadlock while processing
inputs not being serviced by the implementation. Input-enabledness of MIA is preserved under
MIA-refinement.

Lemma 3. Let $q$, $r$ be MIAs over $I$ and $O$ such that $r \sqsubseteq_{\mathrm{MIA}} q$. If $q$ is
input-enabled, then $r$ is input-enabled.

This also holds for variant $p$ derived from $q$. In ioco, no distinction is made between specified
mandatory and optional behavior. A first conformance relation supporting optional behaviors is mior [14].
It holds that $i \mathrel{\mathbf{mior}} s$ in case of trace inclusion of may-suspension-traces as well
as must-suspension-traces, respectively. However, if we interpret the set of must-behaviors specified by
$s$ as the product line core behavior incorporated by all variants, this notion of conformance fails to
fully capture this intuition. Suspension trace inclusion solely ensures some behaviors of the specified
behaviors to be actually implemented (if any), but it does not differentiate within the set of allowed
behaviors between mandatory and optional ones.

Figure 2 illustrates the weakness of mior. Assuming Figure 2a as specification and the other two
Figures to be implementations, then both implementations are correct under mior. For Figure 2b, this is
obvious as only optional behavior is left out. The problem of mior is depicted in the implementation of
Figure 2c. Therein, the mandatory behavior outputting the cup after the input tea is left out but the mior
relation still holds as no behavior is added. This contradicts the intention of mandatory behaviors as core
behaviors of all product line variants. To overcome this drawback, consider an alternative definition for
I/O conformance, denoted by mior< [14], being closer to the very essence of modal refinement requiring
alternating suspension trace inclusions. The mior< relation requires implementation $i$ to show at least
all mandatory behaviors and at most the allowed behaviors of a specification $s$. Following this idea, the
respective modal version of ioco is defined as follows.


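Definition 11 (Modal Input/Output Conformance). Let $s$, $i$ be MIAs over $I$, $O$ and $i$ being
input-enabled. $i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$ iff

1. $\forall \sigma \in Straces_\Diamond(s) : Out_\Diamond(i \mathbin{\mathbf{after}_\Diamond} \sigma) \subseteq Out_\Diamond(s \mathbin{\mathbf{after}_\Diamond} \sigma)$, and

2. $\forall \sigma \in Straces_\Box(i) : Out_\Box(s \mathbin{\mathbf{after}_\Box} \sigma) \subseteq Out_\Box(i \mathbin{\mathbf{after}_\Box} \sigma)$.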


In the first part of checking $i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$, we consider all specified
suspension-traces and essentially check $i \mathrel{\mathbf{ioco}} s$. In the second part, we only
consider must-suspension-traces of $i$ and essentially check $s \mathrel{\mathbf{ioco}} i$. That way, we
make sure that the implementation does not add forbidden behavior or ignores mandatory behavior.
Requiring input-enabledness for specifications of $i$ is infeasible for realistic test modeling
approaches. However, an artificial input-enabledness for incomplete specifications of $i$ may always be
achieved by completions of $i$ (cf. Sect. 4.2).

Let us reconcile Figure 2 with the mioco_MIA relation instead of mior. Again, Figure 2a depicts the
specification and the other two figures represent the implementations. The implementation in Figure 2b
is still correct, whereas that in Figure 2c discards the mandatory action !cup after the action ?tea, thus
being incorrect regarding mioco_MIA.

MIA-refinement is considered in two ways, first as an implementation relation
($\sqsubseteq_{\mathrm{MIA}}$) and second as a relation for variant derivation
($\sqsubseteq_{\mathrm{var}}$). For mioco_MIA to yield a family-based conformance testing relation, it
should be preserved by $\sqsubseteq_{\mathrm{var}}$, i.e., if $i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$
is checked for a product line implementation $i$ and its specification $s$, then this check can be
neglected for the variants derivable from $i$. Due to the fact that implementations are input-enabled,
mioco_MIA is also preserved by $\sqsubseteq_{\mathrm{MIA}}$.


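Proposition 2 (MIA-Refinement preserves mioco_MIA). Let $s$, $i$ be MIAs over $I$ and $O$ such that $i$ is
input-enabled. If $i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$, then for all
$i' \sqsubseteq_{\mathrm{MIA}} i$ it holds that $i' \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$.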

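Proof. The fact $i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$ implies that
$Out_\Diamond(i \mathbin{\mathbf{after}_\Diamond} \sigma) \subseteq Out_\Diamond(s \mathbin{\mathbf{after}_\Diamond} \sigma)$
for all $\sigma \in Straces_\Diamond(s)$ holds and
$Out_\Box(s \mathbin{\mathbf{after}_\Box} \sigma) \subseteq Out_\Box(i \mathbin{\mathbf{after}_\Box} \sigma)$
for all $\sigma \in Straces_\Box(i)$ holds as well. Let $i'$ be a MIA such that
$i' \sqsubseteq_{\mathrm{MIA}} i$. Due to Lemma 2 and Lemma 3, $i'$ is input-enabled and for all
$\sigma \in (I \cup O \cup \{\delta_\Diamond\})^*$, it holds that
$Out_\Diamond(i' \mathbin{\mathbf{after}_\Diamond} \sigma) \subseteq Out_\Diamond(i \mathbin{\mathbf{after}_\Diamond} \sigma)$.
By transitivity of $\subseteq$,
$Out_\Diamond(i' \mathbin{\mathbf{after}_\Diamond} \sigma) \subseteq Out_\Diamond(s \mathbin{\mathbf{after}_\Diamond} \sigma)$
holds for all $\sigma \in Straces_\Diamond(s) \subseteq (I \cup O \cup \{\delta_\Diamond\})^*$.

We now prove that also
$Out_\Box(s \mathbin{\mathbf{after}_\Box} \sigma) \subseteq Out_\Box(i' \mathbin{\mathbf{after}_\Box} \sigma)$
for all $\sigma \in Straces_\Box(i')$. As $i$ is input-enabled, it holds that
$Out_\Box(i \mathbin{\mathbf{after}_\Box} \sigma) \subseteq Out_\Box(i' \mathbin{\mathbf{after}_\Box} \sigma)$
for all $\sigma \in (I \cup O \cup \{\delta_\Box\})^*$. Therefore,
$Out_\Box(s \mathbin{\mathbf{after}_\Box} \sigma) \subseteq Out_\Box(i' \mathbin{\mathbf{after}_\Box} \sigma)$
holds for all $\sigma \in Straces_\Box(i') \subseteq (I \cup O \cup \{\delta_\Box\})^*$ by transitivity of
$\subseteq$. Thus, $i' \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$. □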

Next we show how to achieve input-enabledness by so-called completions. 


4.2 Completions for MIA 

In mioco_MIA, we permit states to be underspecified, i.e., we may leave open how a state $q \in Q$ of
an implementation behaves in case of action $a \in (I \cup O)$ if $q \not\xrightarrow{a}_\Diamond$.
Underspecification comes in two flavors: underspecification of input actions and underspecification of
output actions. Underspecification of output actions is explicit, i.e., a state can only perform outputs
attached to one of its transitions. In contrast, underspecification of input actions is implicit, i.e., a
state accepts every possible input of the input set (even if there is no dedicated transition). In this
section, we present two transformations from underspecified to specified MIA accepting every possible
input action, namely angelic completion and chaotic completion. Both completions are described using the
underspecified MIA depicted in Figure 3a. In this MIA with $I = \{coffee, tea\}$, the two lower states are
underspecified. One possibility for completion, called angelic by Vaandrager [21], is to ignore
unspecified inputs. An angelically completed automaton $MIA_{ac}$ of a given MIA is obtained by adding
self-loop transitions to every state $q \in Q$ for every input $i \in I$ not being accepted by the state.
In Figure 3b, we added self-loops to the bottom states for input actions coffee and tea.

Figure 3: Specification of a simplified vending machine and two completion strategies, where I denotes
one transition for both ?coffee and ?tea. Panels: (a) Specification, (b) Angelic completion,
(c) Chaotic completion.


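Definition 12 (Angelic Completion). Given a MIA $(Q, I, O, \rightarrow_\Box, \rightarrow_\Diamond)$, its
angelic completion $MIA_{ac}$ is defined as $(Q, I, O, \rightarrow'_\Box, \rightarrow'_\Diamond)$, where

• $\rightarrow'_\Box = \rightarrow_\Box \cup \{(q, i, q) \mid q \in Q, i \in I, q \not\xrightarrow{i}_\Box\}$, and

• $\rightarrow'_\Diamond = \rightarrow_\Diamond \cup \{(q, i, q) \mid q \in Q, i \in I, q \not\xrightarrow{i}_\Diamond\}$.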


Chaotic completion is also based on the work of Vaandrager [21], where the automaton is no more
able to do any outputs as soon as an unspecified input occurred. A chaotically completed automaton
$MIA_{cc}$ is obtained by adding a fresh error state which is entered whenever an unspecified input action
occurs. In Figure 3c, we added transitions from the states with underspecified input behavior to the error
state. Note that the error state is a so-called sink state, because once reached, it will never be left.


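Definition 13 (Chaotic Completion). Given a MIA $(Q, I, O, \rightarrow_\Box, \rightarrow_\Diamond)$, its
chaotic completion $MIA_{cc}$ is defined as $(Q', I, O, \rightarrow'_\Box, \rightarrow'_\Diamond)$, where

• $Q' = Q \cup \{q_E\}$, where $q_E \notin Q$,

• $\rightarrow'_\Box = \rightarrow_\Box \cup \{(q, i, q_E) \mid q \in Q, i \in I, q \not\xrightarrow{i}_\Box\} \cup \{(q_E, \lambda, q_E) \mid \lambda \in I\}$, and

• $\rightarrow'_\Diamond = \rightarrow_\Diamond \cup \{(q, i, q_E) \mid q \in Q, i \in I, q \not\xrightarrow{i}_\Diamond\} \cup \{(q_E, \lambda, q_E) \mid \lambda \in I\}$.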
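
Definitions 9 and 11 to 13 put together: angelic or chaotic completion of an implementation, followed by the two-clause modal conformance check. This is an added example, not code from the paper; the automata and all function names are constructed, and quiescence is read as may-quiescent when no output is mandatory and must-quiescent when no output is allowed.

```python
from collections import namedtuple

# Transitions are (source, action, target); `may` always contains `must`.
MIA = namedtuple("MIA", "inputs outputs must may init")
DELTA = "delta"  # observable quiescence

def make(inputs, outputs, init, must, may_only=()):
    must = frozenset(must)
    return MIA(frozenset(inputs), frozenset(outputs), must,
               must | frozenset(may_only), init)

def states(m):
    return {m.init} | {s for s, _, _ in m.may} | {t for _, _, t in m.may}

def enabled(m, g, q):
    """init_g(q): actions with a g-transition (g is 'must' or 'may') leaving q."""
    return {a for s, a, _ in getattr(m, g) if s == q}

def quiescent(m, g, q):
    # Assumed reading of Definition 9: may-quiescent if no output is mandatory,
    # must-quiescent if no output is allowed at all.
    return enabled(m, "must" if g == "may" else "may", q) <= m.inputs

def after(m, g, P, a):
    if a == DELTA:
        return frozenset(q for q in P if quiescent(m, g, q))
    return frozenset(t for s, b, t in getattr(m, g) if s in P and b == a)

def out(m, g, P):
    res = {a for q in P for a in enabled(m, g, q) if a in m.outputs}
    return res | ({DELTA} if any(quiescent(m, g, q) for q in P) else set())

def outputs_included(left, right, g):
    """Out_g(left after_g sigma) <= Out_g(right after_g sigma) for every
    g-suspension trace sigma of `right`. Walks pairs of state sets, so it
    terminates on automata with loops."""
    start = (frozenset({left.init}), frozenset({right.init}))
    seen, todo = {start}, [start]
    while todo:
        L, R = todo.pop()
        if not out(left, g, L) <= out(right, g, R):
            return False
        for a in right.inputs | right.outputs | {DELTA}:
            R2 = after(right, g, R, a)
            if R2:  # sigma.a is still a suspension trace of `right`
                nxt = (after(left, g, L, a), R2)
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return True

def input_enabled(m):
    return all(m.inputs <= enabled(m, "must", q) for q in states(m))

def mioco(i, s):
    """Both clauses of Definition 11; i has to be input-enabled."""
    assert input_enabled(i), "complete the implementation first"
    return outputs_included(i, s, "may") and outputs_included(s, i, "must")

def complete(m, sink=None):
    """Angelic completion (Definition 12) when sink is None: unspecified inputs
    become self-loops. Chaotic completion (Definition 13) otherwise: they lead
    to the fresh state `sink`, which loops on every input."""
    assert sink is None or sink not in states(m)
    def missing(g):
        return {(q, i, q if sink is None else sink)
                for q in states(m) for i in m.inputs - enabled(m, g, q)}
    trap = set() if sink is None else {(sink, i, sink) for i in m.inputs}
    return m._replace(must=m.must | missing("must") | trap,
                      may=m.may | missing("may") | trap)

# Constructed sample: a cup after ?tea is mandatory, a cup after ?coffee optional.
INPUTS, OUTPUTS = {"?tea", "?coffee"}, {"!cup", "!error"}
BASE = [("i0", "?tea", "i1"), ("i0", "?coffee", "i2")]
SPEC = make(INPUTS, OUTPUTS, "s0",
            [("s0", "?tea", "s1"), ("s1", "!cup", "s0"), ("s0", "?coffee", "s2")],
            may_only=[("s2", "!cup", "s0")])
OK = make(INPUTS, OUTPUTS, "i0", BASE + [("i1", "!cup", "i0")])      # optional cup left out
NO_CUP = make(INPUTS, OUTPUTS, "i0", BASE + [("i2", "!cup", "i0")])  # mandatory cup dropped
EXTRA = make(INPUTS, OUTPUTS, "i0", BASE + [("i1", "!cup", "i0")],
             may_only=[("i1", "!error", "i0")])                      # forbidden output added

if __name__ == "__main__":
    for name, impl in [("OK", OK), ("NO_CUP", NO_CUP), ("EXTRA", EXTRA)]:
        print(name, mioco(complete(impl), SPEC), mioco(complete(impl, "q_E"), SPEC))
```

`NO_CUP` is the situation of Figure 2c: the second clause alone rejects it, while `EXTRA` passes the second clause and is rejected by the first.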

These results complete our discussions on modal testing theory based on MIA. We now consider
soundness and completeness notions for mioco_MIA and give corresponding proofs.


5 Correctness of mioco_MIA

In order to serve as a reliable basis for family-based product line conformance testing, it is necessary
for mioco_MIA to be (1) sound, i.e., whenever $i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$ holds, then
each implementation variant derivable from $i$ also conforms to a variant of $s$, and (2) complete, i.e.,
whenever all variants of $i$ are correct w.r.t. ioco and to the product line specification $s$, then
$i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$ holds. In this section, we prove soundness of mioco_MIA and
discuss under which conditions completeness of mioco_MIA may be obtained. Whenever we use mioco_MIA to
show that a modal implementation $i$ conforms to the modal specification $s$, for each variant
$i' \sqsubseteq_{\mathrm{var}} i$ there is a variant $s' \sqsubseteq_{\mathrm{var}} s$ such that
$i' \mathrel{\mathbf{ioco}} s'$ holds. By checking $i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$ once,
checking each and every variant of $i$ against some variant of $s$ can be omitted. This is a remarkable
improvement compared to variant-by-variant conformance testing, due to the exponentially growing
number of variants $i'$ in the number of optional transitions of $i$.

Figure 4: Each variant of $i$ conforms to $s$ (ioco), but $i \mathrel{\mathbf{mioco}_{\mathrm{MIA}}} s$ does not hold.

For soundness, we need to take into account that all considered $i'$ are variants derived from $i$. By
Def. 8 each $i'$ contains at most those transitions being may transitions of $i$. Therefore, $i$ restricts the set
of possible transitions of $i'$ and as $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$ holds, also $s$ restricts the set of possible transitions of $s'$.
It is sufficient that the output behavior of $i'$ is included in that of $s'$, but not vice versa. We, therefore,
choose a single $s'$ for each $i' \sqsubseteq_{\mathit{var}} i$, the Family-LTS of $s$, denoted by $s_{\mathit{fam}}$, consisting of all may transitions
of $s$. If $Q(q)$ is a MIA, then $Q_{\mathit{fam}}(q_{\mathit{fam}})$ is the LTS with $Q_{\mathit{fam}} = Q$ and $\longrightarrow_{\mathit{fam}} = \longrightarrow_{\Diamond}$. As $\longrightarrow_{\mathit{fam}} = \longrightarrow_{\Diamond}$
and, therefore, $\longrightarrow_{\mathit{fam}} \subseteq \longrightarrow_{\Diamond}$, it holds that $q_{\mathit{fam}} \sqsubseteq_{\mathit{var}} q$ for every MIA $q$. Using $s' = s_{\mathit{fam}}$ enables us to
prove soundness.

Theorem 1 (Soundness). Let $s$ and $i$ be MIAs such that $i$ is input-enabled. If $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$, then for all
$i' \sqsubseteq_{\mathit{var}} i$, there exists some $s' \sqsubseteq_{\mathit{var}} s$ such that $i'\ \mathbf{ioco}\ s'$ holds.

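Proof. We prove $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s \Rightarrow \forall i' \sqsubseteq_{\mathit{var}} i : \exists s' \sqsubseteq_{\mathit{var}} s : i'\ \mathbf{ioco}\ s'$ by contradiction. We choose $s'$ to be $s_{\mathit{fam}}$
for all $i' \sqsubseteq_{\mathit{var}} i$. Assume that there is an $i' \sqsubseteq_{\mathit{var}} i$ such that $i'\ \mathbf{ioco}\ s_{\mathit{fam}}$ does not hold, i.e., there exists a
$\sigma \in \mathit{Straces}(s_{\mathit{fam}})$ such that $\mathit{Out}(i'\ \mathbf{after}\ \sigma) \not\subseteq \mathit{Out}(s'\ \mathbf{after}\ \sigma)$. By Lemma 1 $\sigma \in \mathit{Straces}_{\Diamond}(s)$ and by
construction of $s_{\mathit{fam}}$ it holds that $\mathit{Out}(s_{\mathit{fam}}\ \mathbf{after}\ \sigma) = \mathit{Out}_{\Diamond}(s\ \mathbf{after}_{\Diamond}\ \sigma)$. It also holds that $\mathit{Out}(i'\ \mathbf{after}\ \sigma) \subseteq
\mathit{Out}_{\Diamond}(i\ \mathbf{after}_{\Diamond}\ \sigma)$, which implies that $\mathit{Out}_{\Diamond}(i\ \mathbf{after}_{\Diamond}\ \sigma) \not\subseteq \mathit{Out}_{\Diamond}(s\ \mathbf{after}_{\Diamond}\ \sigma)$, contradicting the assumption
that $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$. Thus, there is no $i' \sqsubseteq_{\mathit{var}} i$ such that $i'\ \mathbf{ioco}\ s_{\mathit{fam}}$ does not hold. □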

The converse does not hold in general. Consider the MIAs of Figure 4 where $s_{\mathit{fam}} = s$ and each
variant $i' \sqsubseteq_{\mathit{var}} i$ exhibits $i'\ \mathbf{ioco}\ s$. However, $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$ does not hold, as $s$ specifies an output $b$ as
mandatory while in $i$, the $b$-transition is optional. We observe that each ioco check does not cover
the fact that mandatory behavior of the specification $s$ must also be mandatory behavior of $i$. This is
due to the fact that in ioco only allowed outputs may be implemented, but an obligation to implement
any output, as imposed by must-modalities, is not covered. If we ensure that mandatory behavior of $s$
is preserved by $i$, as e.g., under MIA-refinement, the completeness claim holds. Thus, we obtain the
following completeness claim.

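Theorem 2 (Completeness I). Let $i, s$ be MIAs such that $i$ is input-enabled and $i \sqsubseteq_{\mathrm{MIA}} s$. If for all
$i' \sqsubseteq_{\mathit{var}} i$ it holds that $i'\ \mathbf{ioco}\ s_{\mathit{fam}}$, then $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$.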

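Proof. Assume $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$ does not hold, but for all $i' \sqsubseteq_{\mathit{var}} i$ it holds that $i'\ \mathbf{ioco}\ s_{\mathit{fam}}$. This means that
(1) there exists a $\sigma \in \mathit{Straces}_{\Diamond}(s)$ such that $\mathit{Out}_{\Diamond}(i\ \mathbf{after}_{\Diamond}\ \sigma) \not\subseteq \mathit{Out}_{\Diamond}(s\ \mathbf{after}_{\Diamond}\ \sigma)$ or (2) there exists a
$\sigma \in \mathit{Straces}_{\Box}(i)$ so that $\mathit{Out}_{\Box}(s\ \mathbf{after}_{\Box}\ \sigma) \not\subseteq \mathit{Out}_{\Box}(i\ \mathbf{after}_{\Box}\ \sigma)$.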




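Case (1): It holds that $\sigma \in \mathit{Straces}_{\Diamond}(i)$. We construct a variant of $i$ respecting $\sigma$ as follows. Let $i' \sqsubseteq_{\mathrm{MIA}} i$ be
the largest MIA (w.r.t. $\sqsubseteq_{\mathrm{MIA}}$) such that whenever $q \stackrel{a}{\longrightarrow}_{\Diamond} q'$ in $i$, then $q \stackrel{a}{\longrightarrow}_{\Box} q'$ in $i'$. Hence,
$\mathit{Out}_{\Box}(i'\ \mathbf{after}_{\Box}\ \sigma) = \mathit{Out}_{\Diamond}(i\ \mathbf{after}_{\Diamond}\ \sigma)$. $i_{\sigma}$ is the variant of $i$ that includes all must transitions of $i'$.
But then $\mathit{Out}(i_{\sigma}\ \mathbf{after}\ \sigma) = \mathit{Out}_{\Box}(i'\ \mathbf{after}_{\Box}\ \sigma) \not\subseteq \mathit{Out}_{\Box}(s\ \mathbf{after}_{\Box}\ \sigma)$ and thus $i_{\sigma}\ \mathbf{ioco}\ s_{\mathit{fam}}$ does not
hold, which contradicts the assumption that all variants of $i$ conform to $s_{\mathit{fam}}$.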

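Case (2): It holds that $\sigma \in \mathit{Straces}_{\Box}(s)$. As $\mathit{Out}_{\Box}(s\ \mathbf{after}_{\Box}\ \sigma) \not\subseteq \mathit{Out}_{\Box}(i\ \mathbf{after}_{\Box}\ \sigma)$, there is an $s' \in
s\ \mathbf{after}_{\Box}\ \sigma$ such that $s' \stackrel{a}{\longrightarrow}_{\Box}$ for some $a \in O$, but for all $i' \in i\ \mathbf{after}_{\Box}\ \sigma$, it holds that $i'$

But this contradicts the assumption that $i \sqsubseteq_{\mathrm{MIA}} s$, as by Lemma 2 there is an $i' \in i\ \mathbf{after}_{\Box}\ \sigma$ and
$i' \sqsubseteq_{\mathrm{MIA}} s'$.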

Thus, $i'\ \mathbf{ioco}\ s_{\mathit{fam}}$ for all $i' \sqsubseteq_{\mathit{var}} i$ implies that $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$. □

Thus, our $\mathbf{mioco}_{\mathrm{MIA}}$ framework is sound, and complete in case the implementation is a refined version
of the specification. When dropping the requirement of $i \sqsubseteq_{\mathrm{MIA}} s$, it is possible to show that if there
is a variant $i'$ of $i$ such that $i'\ \mathbf{ioco}\ s_{\mathit{fam}}$ does not hold, then $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$ does not hold, either.

Theorem 3 (Completeness II). Let $i, s$ be MIAs such that $i$ is input-enabled. If there is an $i' \sqsubseteq_{\mathit{var}} i$ such
that $i'\ \mathbf{ioco}\ s_{\mathit{fam}}$ does not hold, then $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$ does not hold.

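Proof. Let $i' \sqsubseteq_{\mathit{var}} i$ be an IOLTS such that $i'\ \mathbf{ioco}\ s_{\mathit{fam}}$ does not hold, i.e., there exists a $\sigma \in \mathit{Straces}(s_{\mathit{fam}})$
so that $\mathit{Out}(i'\ \mathbf{after}\ \sigma) \not\subseteq \mathit{Out}(s_{\mathit{fam}}\ \mathbf{after}\ \sigma)$. By Lemma 1 $\sigma \in \mathit{Straces}_{\Diamond}(s)$ and also $\mathit{Out}_{\Diamond}(i\ \mathbf{after}_{\Diamond}\ \sigma) \neq \emptyset$.
From the construction of $s_{\mathit{fam}}$, $\mathit{Out}_{\Diamond}(i\ \mathbf{after}_{\Diamond}\ \sigma) \not\subseteq \mathit{Out}_{\Diamond}(s\ \mathbf{after}_{\Diamond}\ \sigma)$, implying $i\ \mathbf{mioco}_{\mathrm{MIA}}\ s$ does not
hold. □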

Theorem 1 ensures that whenever $\mathbf{mioco}_{\mathrm{MIA}}$ is established between product line implementation $i$ and
product line specification $s$, then each variant $i'$ derived from $i$ I/O-conforms to $s_{\mathit{fam}}$. Correspondingly,
Theorem 2 and Theorem 3 state that whenever $\mathbf{mioco}_{\mathrm{MIA}}$ cannot be established between $i$ and $s$, then
there is at least one variant $i'$ of $i$ not I/O-conforming to $s_{\mathit{fam}}$. According to Theorem 2 this is only
ensured if $i \sqsubseteq_{\mathrm{MIA}} s$ holds. Summarizing, our $\mathbf{mioco}_{\mathrm{MIA}}$ reflects the essence of family-based product line
analysis [19] by means of I/O-conformance testing.

6 Conclusion and Future Work 

In this paper, we proposed a family-based I/O-conformance testing theory for product lines based on
Modal Interface Automata, which is sound and complete w.r.t. variant-by-variant I/O-conformance testing
based on IOLTS. As future work, we plan to exploit the MIA framework for its compositionality
properties to obtain criteria for compositional I/O-conformance testing of product lines. Therefore, dealing
with internal actions, excluded from this paper's considerations, is inevitable. However, the results
we obtained throughout this paper canonically extend to the case of MIAs with internal actions. This
way, we obtain a similar variability concept as Larsen et al. [12], which is based on modal refinement
and the ability of composition with an environmental specification validating implementation variants.
Furthermore, we plan to implement our theory, based on a $\mathbf{mioco}_{\mathrm{MIA}}$-extended version of JTorX [1], to
provide an applicable tool for efficient product line I/O conformance testing.